(1) Field of the Invention
The present invention relates to an encryption apparatus, a decryption apparatus, a secret key generation apparatus and a copyright protection system for protecting copyright for transmitting a digital work via a recording medium or a transmission medium. In particular, the present invention relates to a technique of protecting against an attack enacted by replacing a Certificate Revocation List for specifying revoked public key certificates.
(2) Description of the Related Art
When a first device transmits a digital work to a second device, the first device authenticates the second device (or the first and second devices mutually authenticate). The authentication is performed before the transmission so as to prevent a copyright infringement by unauthorized obtainment. In other words, the authentication is a means to make sure whether the person on the other side of the communication is a person intended to be there for communication.
One of the examples in using a public key encryption is as follows: the first device sends a random number to the second device, then, the second device encrypts the random number using its own secret key (e.g., digital signature) and returns the encrypted text to the first device, and finally, the first device verifies the returned encrypted text (or the digital signature) using the public key held by the second device. However, in the authentication based on such public key encryption, it is presupposed that the public key is valid.
In recent years, an organization or a company called “certificate authority” issues a “public key certificate” indicating that a public key is authorized for each user (a “guarantee” for a public key). Among the issued public key certificates, for those with expired validity or those possessed by the user who has illegally conducted or who has his/her secret key stolen, Certificate Revocation List (hereinafter to be referred to as “CRL”, “public key certificate revocation list” or “revocation list”) indicating a list of information for specifying revoked public key certificates is issued in order to nullify such certificates (in order to inform other users of the revoked public key certificates).
It is possible to prevent an error of transmitting an important digital work to an unauthorized person by obtaining a public key certificate from a person on the other side of communication so as to authenticate the person using the public key possessed by the person, and performing the authentication as described above after confirming that the obtained public key certificate is not registered in the CRL (i.e., nullified).
It should be noted that, in some cases, the verification of a public key is performed using only a public key certificate (see reference to Japanese Patent Publication No. 3199119 (pp. 2)). However, this does not work for the public key certificate possessed by the user who has illegally acted or the user who has had his/her own secret key stolen.
However, not all the computers can always obtain a proper CRL so as to check the validity of the public key certificate issued for the person at the other end of the communication. This is a defect in the authentication based on the CRL and illegal conducts are enacted by taking advantage of the defect.
For example, in the case where a device, such as a Digital Video/Versatile Disc (DVD) for replaying a DVD on which a digital work such as a movie is recorded, obtains the latest CRL via the DVD (i.e., reads out the latest CRL recorded on the DVD) and employs the method of authentication with reference to the CRL for a partner device (e.g., a computer that activates an integrated replay processing circuit or replay software), there is a possibility that the CRL may be replaced with the old one in the process of reading out the CRL. The problem therefore is that the digital work may be obtained illegally with a revoked key that is not yet registered in the replaced and old CRL, whereas the public key would have been registered as a revoked public key certificate in a proper (i.e., the latest) CRL.
In order to overcome such a problem, the encryption apparatus, the decryption apparatus, and the copyright protection system are invented for realizing a prevention of the replacement of the CRL and a safe transmission of a digital work (see reference to Japanese Patent Application No. 2002-259514).
On one hand, in the encryption apparatus according to this conception, the following operations are performed: an attribute value calculation unit calculates an attribute value which depends on the information in the CRL that is a list of information for specifying revoked public key certificates; a modification unit modifies, using the attribute value calculated by the attribute value calculation unit, a second secret key associated with the decryption apparatus that decrypts an encrypted digital work; a first encryption unit encrypts a first secret key used for the encryption of the digital work using the second secret key modified by the modification unit; a second encryption unit encrypts the digital work using a first secret key; and an output unit outputs, to the storage medium or the transmission medium, the CRL, the first secret key encrypted by the first encryption unit and the digital work encrypted by the second encryption unit.
On the other hand, in the decryption apparatus according to this conception, an obtainment unit obtains, via a storage medium or a transmission medium, an encrypted digital work, an encrypted first secret key generated by encrypting the first secret key used for the encryption of the digital work, and an CRL that is a list of information for specifying revoked public key certificates; the attribute value calculation unit calculates, based on the obtained CRL, an attribute value that depends on the contents of the CRL; the modification unit modifies, using the attribute value calculated by the attribute value calculation unit, a second secret key which is specific to the decryption apparatus and is already held by said apparatus; a first decryption unit decrypts the obtained encrypted first secret key using the second secret key modified by the modification unit; and a second decryption unit decrypts the encrypted digital work obtained by the obtainment unit using the first secret key decrypted by the first decryption unit.
Thus, the encryption apparatus outputs the encrypted digital work, the encrypted first secret key generated by encrypting the first secret key used for the encryption of the digital work, and the CRL. However, the encrypted first secret key is the first secret key encrypted by the second secret key being a key which is not only associated with the decryption apparatus, but also in which the CRL is involved. In the case where the CRL is replaced with the old one, the information related to the CRL for the pre-held second secret key is changed. Therefore, the decryption apparatus which has received the encrypted digital work, the encrypted first secret key and the CRL cannot decrypt the encrypted first secret key into the original first secret key with the use of the second secret key thus transformed. Consequently, the decryption apparatus cannot properly decrypt the encrypted digital work, and it is possible to safely transmit a digital work allowed by the function to prevent the attack enacted by replacing the CRL.